SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-03-28



Oh Yeah....I forgot about that

Published: 2006-03-28
Last Updated: 2006-03-29 00:10:24 UTC
by Lorna Hutcheson (Version: 1)
An email we got today from John Moser sparked an idea for something that I thought was a great lesson learned, so I wanted to share it with everyone. John was participating in the collegiate cyber defense competition. If you have never participated in a capture-the-flag competition or a red/blue team exercise, you are missing out. You really should try to participate in one, because it's a great experience and really drives lessons learned home. Not to mention that it is an absolute blast!

What really caught my eye was this from John:  "This doesn't help when you have a full default EVERYTHING install of Fedora Core 3 and 4, Win2000, and Win2k3.  It particularly doesn't help when you don't know what EVERYTHING is and how EVERYTHING is configured, because EVERYTHING becomes an entry point for hackers who know how to exploit blatant configuration errors."

In another email exchange he said: "What I didn't know was how every inch of every system on my network was configured."

So by now, you probably know what I want to talk about. John nailed it. You can shut all the doors and windows and lock them tight, but if you forget there's a window in the basement that was secure when you looked at it a year ago and hasn't been checked since... bad things can happen. I don't think it can be emphasized enough that you have to know your systems. There are three things that came out of this for me that I see as issues.
  1. You can't secure something you don't know or understand.  If you don't understand what you are dealing with then you won't know what you need to do.  Do you want a surgeon operating on your brain when they specialize in orthopedic surgery?  I mean he/she could follow a manual and might get it 80% correct.  The same care should be taken with our network.  When you start installing things you don't understand or know how they work ... you might get it 80% correct. But can you afford that?  From John:  "Let's all remember today that no matter how tight your security, if you can't actually run your box you're owned."

  2. Let's say you know your system and your applications. Now you can't secure something and forget about it. All applications need TLC. There's bound to be a patch or upgrade that needs to happen. Many times it's the small things that get forgotten, such as a default password (or a weak one that doesn't get changed) or a service that doesn't get turned off. All a hacker needs is a small handhold, and they go from there. It's easy to overlook the small stuff. Constantly watching networks and checking things is a must.

  3. The unknown. What do I mean by this? Well, one night Mr. Helpful SysAdmin installs something on the network that someone claimed they needed, and you didn't know they put it there. Someone installs something, makes a change, etc., and it doesn't get documented and/or approved. This is something that I know has happened to everyone at some point in time. Good policy and procedures can help alleviate that, but we'll talk about that in a minute. If you don't know something is there, you can't secure it, and you don't know what kind of security risk it's created on your network.

All in all, network security is a full-time job, and it's still a lot of work to do it right. There is so much to learn, and attention to detail is key. You have to be meticulous in what you are doing, because the hackers who want in are being just that. Here is another quote from John's email I would like to share: "The pen-testers told us in the end that even some of the really secure networks they've seen sometimes pop up some minor configuration error and they know, at the end of the day, what happened to us could happen to them." It just takes one small weakness to turn into something big.

Configuration management is a key piece of making sure this doesn't happen. Documenting what is being done and what is on a system is so important, especially on a large network where there are many fingers on the keyboards. You have to stay on top of it all the time. It's also important to realize that mistakes will be made; that is just a fact. Hopefully they will be caught early. Learn from them!
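One way to catch the drift described in items 2 and 3 above, as an added example that is not part of the original diary: the documented baseline for a host is compared against a snapshot of what was actually observed, and every undocumented service, package version change and still-default account becomes a finding. The baseline, the observed snapshot and the version numbers are constructed sample data.

```python
"""Configuration drift check: compare what is documented for a host
against what is actually observed on it, so undocumented services, stale
package versions and still-default accounts surface instead of being
forgotten. Added example; all data below is constructed."""
from dataclasses import dataclass


@dataclass
class HostState:
    listening: dict        # "proto:port" -> service name
    packages: dict         # package -> installed version
    default_accounts: set  # accounts still using a vendor default password


# Documented baseline for one host (constructed sample data).
BASELINE = HostState(
    listening={"tcp:22": "sshd", "tcp:80": "httpd"},
    packages={"httpd": "2.0.54", "openssh": "4.2p1"},
    default_accounts=set(),
)

# What a scan of the same host found tonight (constructed sample data).
OBSERVED = HostState(
    listening={"tcp:22": "sshd", "tcp:80": "httpd", "tcp:3306": "mysqld"},
    packages={"httpd": "2.0.54", "openssh": "4.1p1", "mysql": "4.1.12"},
    default_accounts={"mysql:root"},
)


def find_drift(baseline: HostState, observed: HostState) -> list:
    """Return one finding per difference that matters for security."""
    findings = []
    # Item 3: something nobody documented is listening on the host.
    for sock, svc in sorted(observed.listening.items()):
        if sock not in baseline.listening:
            findings.append(f"undocumented service {svc} on {sock}")
    # A documented service that vanished is also a change worth a look.
    for sock, svc in sorted(baseline.listening.items()):
        if sock not in observed.listening:
            findings.append(f"documented service {svc} missing on {sock}")
    # Item 2: packages that appeared, or drifted from the documented version.
    for pkg, ver in sorted(observed.packages.items()):
        want = baseline.packages.get(pkg)
        if want is None:
            findings.append(f"undocumented package {pkg} {ver}")
        elif want != ver:
            findings.append(f"package {pkg} is {ver}, documented {want}")
    # Item 2 again: the small thing that gets forgotten.
    for acct in sorted(observed.default_accounts):
        findings.append(f"default password still set on {acct}")
    return findings


if __name__ == "__main__":
    for line in find_drift(BASELINE, OBSERVED):
        print(line)
```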

Stay on top of your skills and understand what it is that is going on in your network. Keep in mind that if you don't, someone else out there probably is.

Lorna J. Hutcheson
CACI

Temporary Patches for createTextRange Vulnerability

Published: 2006-03-28
Last Updated: 2006-03-28 18:26:03 UTC
by Johannes Ullrich (Version: 1)
eEye released a temporary patch for the current createTextRange vulnerability. The patch can be found here:
  http://www.eeye.com/html/research/alerts/AL20060324.html. A second patch has been made available by Determina.

At this point, we do not recommend applying this temporary patch for a number of reasons:
  • The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.
  • We have not been able to vet the patch. However, source code is available for both the eEye and the Determina patch (for Determina, the source is part of the MSI file; for eEye, the source code is available as a separate file).
  • Exploit attempts are so far limited. But this could change at any time.
Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft.

We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft has suggested that the patch will be released no later than the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.

Please let us know about issues (or successful installs) of either patch. We will summarize issues here.
